topic VA 7.1 using HTTPS in SAS Visual Analytics

VA 7.1 using HTTPS

franz — Tue, 28 Oct 2014 15:46:21 GMT

Hi,

I have installed VA 7.1 SMP, the mid tier is configured to use HTTPS, we use a certificate signed by Thwate. I am having a problem when trying to start the LASR Server, I get the following error:

ERROR: Unable to register LASR server with authentication service.

I have setup the SSLCALISTLOC option for the SAS Workspace to correctly point to the pem certificate used by the SAS Web Server but I end up with the same error, I have also created a certficate with all the certificates in the CA path and again I get the same error.

SAS Tech Support have suggested to change the protocol to HTTP for just the SASLASRAuthorization endpoint, which I have done. I have changed the LASR Auth service definition in the Metadata and also added a RewriteRule to the Web Server configuration so that all services but SASLASRAuthorization are redirected to HTTPS if called with HTTP.

This way I can start the LASR Server from SAS SAS BASE or EG, but I get a different error from within the web applications, related to spring CAS.

2014-10-27 15:38:09,224 [tomcat-http--25] ERROR org.jasig.cas.CentralAuthenticationServiceImpl - ServiceTicket [ST-37-xdZfcI6wAdiJF0jvL9bl-cas] with service [http://hostname/SASLASRAuthorization/rest/servers/details does not match supplied service [https://hostname/SASLASRAuthorization/rest/servers/details]

2014-10-27 15:38:09,228 [tomcat-http--45] ERROR [ST-29-l5Wxwhx76DgPCMubXvYZ-caslsradmin] com.sas.lasr.mgmt.client.serviceproxy.LasrMgmtServiceProxy - http://hostname/SASLASRAuthorization/rest/servers/details?ticket=ST-37-xdZfcI6wAdiJF0jvL9bl-cas

2014-10-27 15:38:09,228 [tomcat-http--45] ERROR [ST-29-l5Wxwhx76DgPCMubXvYZ-caslsradmin] com.sas.lasr.mgmt.client.serviceproxy.LasrMgmtServiceProxy - org.springframework.web.client.HttpClientErrorException: 401 Unauthorized

With versions 6.x of VA I never had this problem, all was working with just the standard certificate.

Has anyone any idea? I am stuck.

Thanks, Frances

Re: VA 7.1 using HTTPS

franz — Thu, 18 Dec 2014 14:36:57 GMT

FYI, this was fixed. Thanks

Re: VA 7.1 using HTTPS

dursergio — Thu, 18 Dec 2014 16:50:19 GMT

Hi Francesco,

how did you solve this problem?

I would be interested for same activity

Thank's

Sergio

Re: VA 7.1 using HTTPS

shatrughan — Wed, 25 Feb 2015 10:06:43 GMT

Please let us know how you fixed the issue.

Thanks

Re: VA 7.1 using HTTPS

franz — Wed, 25 Feb 2015 13:19:38 GMT

My certificate is signed by Thwate, ie an "official" certificates provider, this means the root and intermediate certificates are already installed on the system (in my case RHEL) when you install openSSL so I pointed SAS to the certificate bundle that comes with openSSL.

To confirm the correct location of the certicates bundle, on your system type

[root@srvname certs]# openssl version -d

OPENSSLDIR: "/etc/pki/tls"

[root@srvname certs]# pwd

/etc/pki/tls/certs

[root@srvname certs]# ls -l

total 1768

-rw-r--r--. 1 root root 786601 Jun 24 11:22 ca-bundle.crt

-rw-r--r--. 1root root 1005005 Jun 24 11:22 ca-bundle.trust.crt

....

then in SAS cfg file

/sas/SASHome/SASFoundation/9.4/sasv9_local.cfg

add the following line

-sslcalistloc /etc/pki/tls/certs/ca-bundle.trust.crt

and that's it. Note that you can add the sslcalistloc in other cfg files, I added it to the foundation cfg file because that way it's picked up by all SAS processes, regardless of their class (ie workspace, stp server, olap and so on).

SAS documentation is not very clear and I find it misleading in cases like this where the certificate is not self-signed.

Hope this helps, regards

Re: VA 7.1 using HTTPS

shatrughan — Tue, 17 Mar 2015 05:28:11 GMT

Hi francesco,

I tried your suggestions but I am still not able to start my lasr server.

ERROR: OpenSSL error 336134278 (0x14090086) occurred in SSL_connect/accept at
line 4827, the error message is "error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed".
ERROR: Encryption run-time execution error

ERROR: Unable to register LASR server with authentication service.
NOTE: The SAS System stopped processing this step because of errors.
NOTE: PROCEDURE LASR used (Total process time):
real time 10.77 seconds
cpu time 0.04 seconds

Any idea on this error. My sasv9_local.cfg file is point towards /etc/pki/tls/certs/ca-bundle.trust.crt .

I infact tried setting SSLCALISTLOC variable to all sort of cert available like .pem, .csr, .crt etc. but nothing worked for me.

Re: VA 7.1 using HTTPS

cj_blake — Sat, 21 Mar 2015 09:35:21 GMT

I had exactly the same problem and I am using a self signed certificate. The problem was resolved by pointing the -sslcalistloc option to the PEM encoded certificate that is being used by the SAS Web Server. After doing that, it all worked perfectly.

Re: VA 7.1 using HTTPS

franz — Wed, 25 Mar 2015 13:42:32 GMT

Hi, yes this is the way described in the SAS Documentation and it works just fine, my answer is applicable for certificates signed by an external CA.

Regards